SSO Keycloak session for Moodle LMS is not maintained

[BraveEvidence]

I have a website in which I have integrated keycloak sign in, I have also integrated keycloak sign in for moodle using this plugin. Suppose I sign in my website using keycloak and then open moodle I had to sign in again, the keycloak session is not maintained. Suppose my website url is https://portal-uat.mycomapnyname.vn/ and my Moodle LMS is at http://lms.mycompanyname.vn, is it because they are located at different subdomains, do I need to fix it from AWS side where both my apps are deployed or is there something else wrong which I can fix it from the admin keycloak portal

[weilai-irl]

Hi @BraveEvidence

Please consider these two settings in Moodle:

• Force users to log in (forcelogin) on the "Site security settings" page (https://url.to.moodle/admin/settings.php?section=sitepolicies). If this is enabled, all visitors to the Moodle site who are not logged in will be automatically redirected to the Moodle login page (https://url.to.moodle/login/index.php).
• Force redirect (forcelogin) on the "Other options" page in the auth_oidc configuration page (https://url.to.moodle/admin/settings.php?section=authsettingoidc). If this is enabled, then all users who are not logged in to Moodle accessing the login page (https://url.to.moodle/login/index.php) will be automatically redirected to the configured auth_oidc authorization endpoint, without the need for the user to click the auth_oidc login button. If the user is already logged to the IdP, they should be redirected back to Moodle logged in using SSO.

Note the first setting is part of Moodle core, while the second one is part of the auth_oidc plugin. You may want to try out different combinations of these settings to achieve your desired user experience.

There is actually a third setting - Silent Login Mode (silentloginmode) also on the "Other options" page - which would try to perform silent login. Please read the setting description for details. Note this setting has only be tested against Microsoft Entra ID IdP, and not on Keycloak, so please use with care.

Regards, Lai